DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Malicious user can DoS `FjordAuction:claimTokens`

Summary

In the FjordAuction contract a malicious user can brick the claimTokens function: by inflating totalBids they can make the multiplier computed in endAuction truncate to 0 under integer division, after which every claim pays out 0 tokens.

Vulnerability Details

The critical line is: FjordAuction.sol:L197

multiplier = totalTokens.mul(PRECISION_18).div(totalBids);

Because Solidity integer division rounds toward zero, this yields a multiplier of 0 whenever totalTokens.mul(PRECISION_18) is strictly less than totalBids, i.e. whenever totalBids (in raw units of the bid token) exceeds totalTokens (in raw units of the auctioned token) multiplied by PRECISION_18.

Whether this condition is reachable depends on the relationship between totalTokens and totalBids. It is more likely when:

  1. The total number of raw token units being auctioned is very small.

  2. The total amount of bids is very large.

  3. The PRECISION_18 constant is too small to keep totalTokens * PRECISION_18 above any realistic totalBids (with 18-decimal tokens on both sides, totalBids must exceed totalTokens by a factor of 1e18).

Example scenario: Let's say:

  • PRECISION_18 = 1e18 (a common value for 18 decimal precision)

  • totalTokens = 1 (a very small number of tokens being auctioned)

  • totalBids = 1e19 (a very large amount of bids)

In this case:

multiplier = 1 * 1e18 / 1e19 = 0.1

Integer division truncates this to 0, so endAuction stores multiplier = 0.

A malicious user could exploit this by:

  1. Waiting until near the end of the auction.

  2. Observing the current totalTokens and totalBids.

  3. Placing a large bid that ensures totalBids is sufficiently larger than totalTokens * PRECISION_18.

While this scenario is possible, it is expensive and the attacker gains nothing; they only cause losses for other bidders. Since totalBids must exceed totalTokens * PRECISION_18 in raw units, the attack is only practical when the auctioned amount is dust-sized relative to the bid token. It is still a valid concern that should be addressed so the contract behaves correctly under all inputs.
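The truncation from the example scenario and the attack steps above, modelled as an added Python example that is not the FjordAuction code: the multiplier line is reproduced as reported, the claim formula (bid * multiplier / PRECISION_18) is an assumption since the page does not show claimTokens, and the bid amounts are constructed. The example also checks what a "minimum multiplier of 1" fix would pay out, because that is the obvious follow-up question.

```python
# Added example; not code from FjordAuction. Solidity uint256 arithmetic is
# modelled with Python ints and floor division.
PRECISION_18 = 10**18  # the constant named in the report


def end_auction_multiplier(total_tokens: int, total_bids: int) -> int:
    """Mirror of the reported line:
    multiplier = totalTokens.mul(PRECISION_18).div(totalBids)
    Floor division truncates to 0 when total_bids > total_tokens * 1e18."""
    if total_bids == 0:
        raise ValueError("no bids placed")
    return (total_tokens * PRECISION_18) // total_bids


def claimable(bid: int, multiplier: int) -> int:
    """ASSUMED claim formula (claimTokens is not shown on the page):
    the bidder's share is bid * multiplier / PRECISION_18."""
    return bid * multiplier // PRECISION_18


def min_bids_to_truncate(total_tokens: int) -> int:
    """Smallest totalBids that drives the multiplier to 0, i.e. the cost of the
    attack for a given auctioned amount (raw units)."""
    return total_tokens * PRECISION_18 + 1


def settle(total_tokens: int, bids: dict, floor_multiplier: bool = False):
    """Run endAuction + every claim. floor_multiplier=True applies the
    'minimum multiplier of 1' recommendation. Returns
    (multiplier, payouts per bidder, total paid out)."""
    total_bids = sum(bids.values())
    multiplier = end_auction_multiplier(total_tokens, total_bids)
    if floor_multiplier and multiplier == 0:
        multiplier = 1
    payouts = {who: claimable(bid, multiplier) for who, bid in bids.items()}
    return multiplier, payouts, sum(payouts.values())


# Constructed scenario from the report: 1 raw unit auctioned, 1e19 raw units bid
# in total, almost all of it from the attacker placed at the end of the auction.
REPORT_SCENARIO = {"honest": 1, "attacker": 10**19 - 1}

# Constructed realistic auction: 1000 tokens (18 decimals) for 500 bid tokens.
REALISTIC_TOKENS = 1000 * 10**18
REALISTIC_BIDS = {"alice": 300 * 10**18, "bob": 200 * 10**18}


if __name__ == "__main__":
    m, payouts, total = settle(1, REPORT_SCENARIO)
    print("report scenario: multiplier", m, "payouts", payouts, "total", total)

    m, payouts, total = settle(REALISTIC_TOKENS, REALISTIC_BIDS)
    print("realistic: multiplier", m, "total paid", total)
    print("raw bid units needed to brick it:",
          min_bids_to_truncate(REALISTIC_TOKENS) - sum(REALISTIC_BIDS.values()))

    m, payouts, total = settle(1, REPORT_SCENARIO, floor_multiplier=True)
    print("floor-1 fix: multiplier", m, "payouts", payouts,
          "total", total, "vs auctioned", 1)
```

Two things fall out of running it. The realistic auction needs roughly 1e39 raw bid units (1e21 whole bid tokens) before the multiplier reaches 0, which is why the report rates the attack as expensive. And in the dust-sized scenario, flooring the multiplier at 1 does not round-trip: under the assumed claim formula the attacker's claim becomes 9 raw units against only 1 unit auctioned, so a floor alone can over-allocate and the fix needs a check against totalTokens as well.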

Impact

If the multiplier becomes 0:

  1. The claimTokens function will always transfer 0 tokens to claimants, because every share is scaled by the multiplier.

  2. Auction tokens will effectively be locked in the contract, as there is no other path to distribute them once the auction has ended.

Tools Used

manual review

Recommendations

Enforce a minimum multiplier of 1. Note that a floor on its own only prevents the zero payout; if claimTokens scales each bid by the multiplier (the claim formula is not reproduced here), a floored multiplier can pay out more than totalTokens in the dust-sized case, so endAuction should also reject (or fall back to refunding bids in) an auction whose computed multiplier is 0.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
